Network Access Controls (NAC) are widely used to provide endpoint security, typically complementing existing application-based security controls. NAC here means network-level access control mechanisms such as firewalls and proxies (not only 802.1X-style admission control); these mechanisms are routinely prescribed as requirements for compliance with security standards such as PCI-DSS and ISO 27000. However, the effectiveness of a NAC configuration may be hampered by poor understanding and/or management of the overall security configuration, which may in turn unnecessarily expose the enterprise to known security threats. New threats and/or service requirements often result in firefighting: ad-hoc modifications to an already large and complex configuration, made without checking what else they open up. This complexity is further compounded by the diverse range of NAC mechanisms used to secure an enterprise, ranging from firewalls and proxies to NAC-style controls within applications themselves. As a consequence, it can be difficult to ensure that the current NAC configuration is effective, that is, that it sufficiently mitigates known threats while still providing the necessary access to services. Ensuring ongoing best-practice NAC administration can be costly, as it requires up-to-date expert knowledge in a rapidly changing field.
We use Ontology Engineering techniques to provide expert and automated support for the management of NAC configurations. A knowledge base is being developed that contains detailed prescriptions for NAC configurations that are compliant with security standards and best practices. These catalogues of best practice describe how known threats are mitigated by NAC configurations and are continually updated to reflect newly discovered vulnerabilities and revisions to best practice.
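The following Python sketch is an added illustration of the idea, not code from the project (whose knowledge base is built with ontology engineering tools rather than plain Python data structures). It captures the two halves of "effective" described above: every catalogued threat must be blocked, and every required service must stay reachable. The threat catalogue, service requirements, packet filter rules and the "firefighting" change are all constructed for the example; the firewall is a first-match packet filter with an implicit final drop.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # CIDR prefix
    dst: str               # CIDR prefix
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def decide(rules: List[Rule], p: Packet) -> str:
    """First-match semantics with an implicit final drop, as in most packet filters."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Constructed threat catalogue: each entry names a known threat and a witness
# packet that an effective configuration must drop.
THREATS: Dict[str, Packet] = {
    "external-mysql":  Packet("198.51.100.7", "10.0.0.5",  "tcp", 3306),
    "external-telnet": Packet("198.51.100.7", "10.0.1.10", "tcp", 23),
    "external-snmp":   Packet("198.51.100.7", "10.0.1.10", "udp", 161),
}

# Constructed service requirements: witness packets that must be accepted.
SERVICES: Dict[str, Packet] = {
    "public-https": Packet("198.51.100.7", "10.0.1.10", "tcp", 443),
    "app-to-db":    Packet("10.0.1.10",    "10.0.0.5",  "tcp", 3306),
}

# A baseline configuration written against the catalogue (constructed).
BASELINE: List[Rule] = [
    Rule("accept", "10.0.1.0/24", "10.0.0.5/32",  "tcp", 3306),
    Rule("accept", "0.0.0.0/0",   "10.0.1.10/32", "tcp", 443),
    Rule("drop",   "0.0.0.0/0",   "0.0.0.0/0",    "any", None),
]

# The ad-hoc "firefighting" change: a broad rule prepended to let an outside
# party reach internal hosts, made without consulting the catalogue.
AD_HOC: List[Rule] = [Rule("accept", "0.0.0.0/0", "10.0.0.0/16", "tcp", None)] + BASELINE


def evaluate(rules: List[Rule], threats: Dict[str, Packet],
             services: Dict[str, Packet]) -> Tuple[List[str], List[str]]:
    """Return (threats not mitigated, services not reachable) under `rules`."""
    unmitigated = [t for t, p in threats.items() if decide(rules, p) != "drop"]
    unreachable = [s for s, p in services.items() if decide(rules, p) != "accept"]
    return unmitigated, unreachable


def regression(old: List[Rule], new: List[Rule],
               threats: Dict[str, Packet]) -> List[str]:
    """Threats that `old` mitigated but `new` re-exposes (the cost of the ad-hoc change)."""
    before, _ = evaluate(old, threats, {})
    after, _ = evaluate(new, threats, {})
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    print(evaluate(BASELINE, THREATS, SERVICES))   # ([], [])
    print(evaluate(AD_HOC, THREATS, SERVICES))     # (['external-mysql', 'external-telnet'], [])
    print(regression(BASELINE, AD_HOC, THREATS))   # ['external-mysql', 'external-telnet']
```

The point of `regression` is the one made in the paragraph above: the new rule does satisfy the service it was added for, so a test that only checks required access passes, yet it silently re-opens two catalogued threats (the UDP one survives only because the rule happens to be TCP-only). A knowledge base that records which rule mitigates which threat lets that check run automatically on every change rather than relying on an administrator remembering why each rule is there.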
This work grew from a sabbatical at IBM, and the project was supported by Science Foundation Ireland, as part of FAME.
- Fitzgerald, W. M., & Foley, S. N. (2013). Avoiding Inconsistencies in the Security Content Automation Protocol. In 6th IEEE Symposium on Security Analytics and Automation. Retrieved from http://simonfoley.org/pubs/safeconfig2013.pdf [link]
- Foley, S. N., & Fitzgerald, W. M. (2012). Decentralized Semantic Threat Graphs. In Data and Applications Security and Privacy XXVI - 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Paris, France, July 11-13, 2012. Proceedings (pp. 177–192). https://doi.org/10.1007/978-3-642-31540-4_14 [link]
- Fitzgerald, W. M., & Foley, S. N. (2011). Reasoning about the Security Configuration of SAN Switch Fabrics. In 4th Symposium on Configuration Analytics and Automation, SafeConfig 2011, Arlington, VA, USA, October 31 - November 1, 2011. https://doi.org/10.1109/SafeConfig.2011.6111673 [link] Preprint: http://simonfoley.org/pubs/safeconf2011.pdf [link]
- Foley, S. N., Fitzgerald, W. M., & Adams, W. M. (2011). Federated Autonomic Network Access Control. In 4th Symposium on Configuration Analytics and Automation, SafeConfig 2011, Arlington, VA, USA, October 31 - November 1, 2011. https://doi.org/10.1109/SafeConfig.2011.6111668 [link]
- Foley, S. N., & Fitzgerald, W. M. (2011). Management of security policy configuration using a Semantic Threat Graph approach. Journal of Computer Security, 19(3), 567–605. https://doi.org/10.3233/JCS-2011-0421 [link]
- Foley, S. N., & Moss, H. (2010). A risk-metric framework for enterprise risk management. IBM Journal of Research and Development, 54(3), 3. https://doi.org/10.1147/JRD.2010.2043403 [link]
- Fitzgerald, W. M., & Foley, S. N. (2010). Management of heterogeneous security access control configuration using an ontology engineering approach. In 3rd ACM Workshop on Assurable and Usable Security Configuration, SafeConfig 2010, Chicago, IL, USA, October 4, 2010 (pp. 27–36). https://doi.org/10.1145/1866898.1866903 [link]
- Foley, S. N. (2009). Security Risk Management using Internal Controls. In ACM Workshop on Information Security Governance. Retrieved from http://simonfoley.org/pubs/wisg2009.pdf [link]
- Foley, S. N., & Fitzgerald, W. M. (2009). An Approach to Security Policy Configuration Using Semantic Threat Graphs. In Data and Applications Security XXIII, 23rd Annual IFIP WG 11.3 Working Conference, Montreal, Canada, July 12-15, 2009. Proceedings (pp. 33–48). https://doi.org/10.1007/978-3-642-03007-9_3 [link]